Summary: Information Assurance of Commercially Managed Collaboration Services for the Global Information Grid
Department of Defense
Office of the Inspector General -- Audit
Information Assurance of Commercially Managed Collaboration Services for the Global Information Grid - Report No. D-2006-084 (Project No. D2006-D000AL-0114.000)
Date: May 17, 2006

Who Should Read This Report and Why? The DoD Chief Information Officer, Defense Information Systems Agency information technology and contracting officials, Chief Information Officers of DoD Components, and personnel responsible for overseeing DoD information assurance should read this report. The report will help the DoD information technology community establish a DoD information assurance process for commercial services.

Background. The attacks of September 11, 2001, imposed a powerful sense of urgency to transforming DoD. According to the Quadrennial Defense Review Report, DoD senior leaders believe one transformation for DoD should be to achieve net-centricity. Net-centricity is a term used for expressing an environment that is networked to enable a different approach to warfighting and business operations. The foundation for net-centric operations is the Global Information Grid, a globally interconnected set of information capabilities, processes, and personnel that collects, processes, stores, disseminates and manages information on demand to warfighters, policy makers, and support personnel. The Global Information Grid supports all DoD, national security, and related intelligence community missions and functions as well as interfacing with coalition, allied, and non-DoD users and systems.

To help the warfighter, business, and intelligence users in DoD share information across the enterprise information environment on the Global Information Grid, the Defense Information Systems Agency initiated the Net-Centric Enterprise Services program in FY 2004.
The Net-Centric Enterprise Services program will allow DoD users to share information using DoD internal networks—the Non-secure Internet Protocol Router Network and the SECRET Internet Protocol Router Network. DoD initiated two pilot programs under the Net-Centric Enterprise Services program. Those programs would assess the feasibility of adapting to a net-centric environment through the use of commercially managed and hosted services for collaboration services on the Global Information Grid.

In October 2004, DISA awarded a contract for the Next Generation Collaboration Services Pilot (first collaboration pilot). The contract award was a major step toward DoD achieving net-centric capabilities under the Net-Centric Enterprise Services program. The first collaboration pilot represented an attempt by DoD to provide a service-based, commercially managed, and commercially hosted capability on DoD networks. In December 2005, DISA issued a Request for Quotes for the Net-Centric Enterprise Service Collaboration Service (second collaboration pilot). The second collaboration pilot would procure a Web-accessible, commercially managed collaboration service for the unclassified and classified networks. The contract award for the second collaboration pilot is expected in March 2006.

Results. DoD initiated acquisition efforts for the Net-Centric Enterprise Services commercially managed collaboration services for the Global Information Grid prematurely and without regard for DoD or Federal policy. As a result, acquisition of commercially managed collaboration services could expose the DoD Global Information Grid, as well as interconnecting systems and users of coalition, allied, non-DoD, Federal agencies, and state and local entities, to significant and unmitigated security risks.
Implementing the recommendations would allow DoD to acquire commercially managed collaboration services without significant security risks to the Global Information Grid. See the Finding section of the report for the detailed recommendations.

During the review, we identified a number of additional areas of concern. In the interest of timely publication of this report and due to the classified nature of the information, those areas of concern are identified in Appendix E. The appendix may be made available to interested parties on a “need-to-know” basis as determined by the DoD Office of the Inspector General.

Management Comments and Audit Response. The Director, Joint Staff partially concurred with one recommendation and nonconcurred with one recommendation. The Deputy Assistant Secretary of Defense for Networks and Information Integration/Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer, nonconcurred with four recommendations and partially concurred with three recommendations. The Chief of Staff, National Security Agency, responding for the Director, National Security Agency, concurred with all our recommendations. The Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense for Intelligence did not respond to the draft report.

The Director, Joint Staff and the Deputy Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer comments were partially responsive. The National Security Agency comments were responsive.
We request additional comments from the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer on Recommendations 1.a., 1.b., 1.d., and 4., from the Director, Joint Staff on Recommendation 4., and that the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense for Intelligence provide comments to the final report by June 14, 2006.

The Deputy Assistant Secretary of Defense for Networks and Information Integration/Deputy Chief Information Officer also provided comments on the finding section of the report. We considered the Deputy Assistant Secretary of Defense for Networks and Information Integration/Deputy Chief Information Officer comments but did not change the report based on those comments. The facts of the report were supported by source documents obtained during the audit. See the Finding section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Any comments or suggestions should be sent to: auditnet@dodig.mil